keryx 0.29.8 → 0.29.10

package/config/observability.ts

@@ -4,4 +4,6 @@ export const configObservability = {
   enabled: await loadFromEnvIfSet("OTEL_METRICS_ENABLED", false),
   metricsRoute: await loadFromEnvIfSet("OTEL_METRICS_ROUTE", "/metrics"),
   serviceName: await loadFromEnvIfSet("OTEL_SERVICE_NAME", ""),
+  metricsAuthUsername: await loadFromEnvIfSet("OTEL_METRICS_AUTH_USERNAME", ""),
+  metricsAuthPassword: await loadFromEnvIfSet("OTEL_METRICS_AUTH_PASSWORD", ""),
 };

package/config/server/mcp.ts

@@ -17,5 +17,6 @@ export const configServerMcp = {
     "MCP_OAUTH_REFRESH_TTL",
     60 * 60 * 24 * 30,
   ), // 30 days, in seconds
+  oauthTrustProxy: await loadFromEnvIfSet("MCP_OAUTH_TRUST_PROXY", false),
   markdownDepthLimit: await loadFromEnvIfSet("MCP_MARKDOWN_DEPTH_LIMIT", 5),
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "keryx",
-  "version": "0.29.8",
+  "version": "0.29.10",
   "module": "index.ts",
   "type": "module",
   "license": "MIT",

package/servers/web.ts

@@ -1,6 +1,6 @@
+import { randomUUID } from "node:crypto";
 import { parse } from "node:url";
 import type { ServerWebSocket } from "bun";
-import { randomUUID } from "crypto";
 import { api, logger } from "../api";
 import { type HTTP_METHOD } from "../classes/Action";
 import { Connection } from "../classes/Connection";
@@ -11,6 +11,7 @@ import { config } from "../config";
 import type { PubSubMessage } from "../initializers/pubsub";
 import { ansi } from "../util/ansi";
 import { isOriginAllowed } from "../util/http";
+import { verifyBasicAuth } from "../util/webBasicAuth";
 import { compressResponse } from "../util/webCompression";
 import {
   buildError,
@@ -325,6 +326,23 @@ export class WebServer extends Server<ReturnType<typeof Bun.serve>> {
       config.observability.enabled &&
       parsedUrl.pathname === config.observability.metricsRoute
     ) {
+      if (
+        !verifyBasicAuth(
+          req,
+          config.observability.metricsAuthUsername,
+          config.observability.metricsAuthPassword,
+        )
+      ) {
+        return {
+          response: new Response("Unauthorized", {
+            status: 401,
+            headers: {
+              "WWW-Authenticate": 'Basic realm="Metrics"',
+              "Content-Type": "text/plain",
+            },
+          }),
+        };
+      }
       const body = await api.observability.collectMetrics();
       return {
         response: new Response(body || "", {

package/templates/scaffold/env.example.mustache

@@ -17,7 +17,7 @@ WEB_SERVER_ALLOWED_METHODS="GET, POST, PUT, DELETE, OPTIONS"
 
 MCP_SERVER_ENABLED=true
 
-SESSION_TTL=86400000
+SESSION_TTL=86400
 SESSION_COOKIE_NAME="__session"
 
 DATABASE_URL="postgres://$USER@localhost:5432/{{projectName}}"

package/util/config.ts

@@ -1,25 +1,24 @@
-/**
-Deep-merges source into target, mutating target in place.
-Only plain objects are recursively merged; arrays and primitives are overwritten.
-*/
-export function deepMerge<T extends Record<string, any>>(
+type MergeMode = "overwrite" | "defaults";
+
+function mergeWith<T extends Record<string, any>>(
   target: T,
   source: Record<string, any>,
+  mode: MergeMode,
 ): T {
   for (const key of Object.keys(source)) {
     const targetVal = target[key];
     const sourceVal = source[key];
-
-    if (
+    const bothPlainObjects =
       targetVal &&
       sourceVal &&
       typeof targetVal === "object" &&
       typeof sourceVal === "object" &&
       !Array.isArray(targetVal) &&
-      !Array.isArray(sourceVal)
-    ) {
-      deepMerge(targetVal, sourceVal);
-    } else {
+      !Array.isArray(sourceVal);
+
+    if (bothPlainObjects) {
+      mergeWith(targetVal, sourceVal, mode);
+    } else if (mode === "overwrite" || !(key in target)) {
       (target as any)[key] = sourceVal;
     }
   }
@@ -27,6 +26,17 @@ export function deepMerge<T extends Record<string, any>>(
   return target;
 }
 
+/**
+Deep-merges source into target, mutating target in place.
+Only plain objects are recursively merged; arrays and primitives are overwritten.
+*/
+export function deepMerge<T extends Record<string, any>>(
+  target: T,
+  source: Record<string, any>,
+): T {
+  return mergeWith(target, source, "overwrite");
+}
+
 /**
  * Like `deepMerge`, but only sets values that don't already exist in target.
  * Useful for applying plugin config defaults without overwriting user-set values.
@@ -35,28 +45,7 @@ export function deepMergeDefaults<T extends Record<string, any>>(
   target: T,
   source: Record<string, any>,
 ): T {
-  for (const key of Object.keys(source)) {
-    if (!(key in target)) {
-      (target as any)[key] = source[key];
-    } else {
-      const targetVal = target[key];
-      const sourceVal = source[key];
-
-      if (
-        targetVal &&
-        sourceVal &&
-        typeof targetVal === "object" &&
-        typeof sourceVal === "object" &&
-        !Array.isArray(targetVal) &&
-        !Array.isArray(sourceVal)
-      ) {
-        deepMergeDefaults(targetVal, sourceVal);
-      }
-      // If key exists in target and isn't a nested object, keep the target value
-    }
-  }
-
-  return target;
+  return mergeWith(target, source, "defaults");
 }
 
 /**

package/util/http.ts

@@ -35,10 +35,20 @@ export function buildCorsHeaders(
 }
 
 /**
- * Derive the external-facing origin for a request.
- * Respects reverse-proxy headers (`X-Forwarded-Proto` / `X-Forwarded-Host`)
- * so that URLs are correct when behind ngrok, a load balancer, etc.
- * Falls back to the parsed request-URL origin.
+ * Derive the external-facing origin for a request. Used to construct OAuth
+ * metadata URLs (issuer, endpoints) and the MCP `WWW-Authenticate` resource
+ * metadata URL.
+ *
+ * Resolution order:
+ * 1. `applicationUrl` config (when set to a non-localhost value).
+ * 2. `X-Forwarded-Proto` / `X-Forwarded-Host` (or `Host`) headers — only when
+ *    `config.server.mcp.oauthTrustProxy` is enabled. These headers are
+ *    spoofable by any client when the server is reachable directly, so
+ *    trusting them unconditionally would let an attacker poison OAuth
+ *    metadata and MCP `WWW-Authenticate` URLs. Operators must opt in via
+ *    `MCP_OAUTH_TRUST_PROXY=true` after confirming a reverse proxy strips
+ *    client-supplied forwarded headers.
+ * 3. The parsed request-URL origin.
  */
 export function getExternalOrigin(req: Request, url: URL): string {
   // Prefer explicitly configured APPLICATION_URL (for proxy/tunnel scenarios
@@ -48,17 +58,18 @@ export function getExternalOrigin(req: Request, url: URL): string {
     return new URL(appUrl).origin;
   }
 
-  // Fall back to reverse-proxy headers
-  const forwardedProto = req.headers.get("x-forwarded-proto");
-  const forwardedHost =
-    req.headers.get("x-forwarded-host") || req.headers.get("host");
+  if (config.server.mcp.oauthTrustProxy) {
+    const forwardedProto = req.headers.get("x-forwarded-proto");
+    const forwardedHost =
+      req.headers.get("x-forwarded-host") || req.headers.get("host");
 
-  if (forwardedProto && forwardedHost) {
-    return `${forwardedProto}://${forwardedHost}`;
-  }
+    if (forwardedProto && forwardedHost) {
+      return `${forwardedProto}://${forwardedHost}`;
+    }
 
-  if (forwardedHost) {
-    return `${url.protocol}//${forwardedHost}`;
+    if (forwardedHost) {
+      return `${url.protocol}//${forwardedHost}`;
+    }
   }
 
   return url.origin;

package/util/webBasicAuth.ts

@@ -0,0 +1,53 @@
+import { timingSafeEqual } from "node:crypto";
+
+// Pads to a common length so we don't leak the expected length via early-return.
+function timingSafeStringEqual(a: string, b: string): boolean {
+  const aBuf = Buffer.from(a, "utf8");
+  const bBuf = Buffer.from(b, "utf8");
+  const len = Math.max(aBuf.length, bBuf.length, 1);
+  const aPadded = Buffer.alloc(len);
+  const bPadded = Buffer.alloc(len);
+  aBuf.copy(aPadded);
+  bBuf.copy(bPadded);
+  return timingSafeEqual(aPadded, bPadded) && aBuf.length === bBuf.length;
+}
+
+/**
+ * Verifies an HTTP Basic auth `Authorization` header against expected credentials
+ * using a constant-time string compare.
+ *
+ * @param req - The incoming `Request`. Read for its `Authorization` header.
+ * @param expectedUsername - The username to match. If empty, auth is treated as
+ *   disabled and the function returns `true`.
+ * @param expectedPassword - The password to match. If empty, auth is treated as
+ *   disabled and the function returns `true`.
+ * @returns `true` when auth is disabled (either credential empty) or when the
+ *   header carries valid `Basic <base64>` credentials matching both expected
+ *   values. `false` for any malformed, missing, or wrong header.
+ */
+export function verifyBasicAuth(
+  req: Request,
+  expectedUsername: string,
+  expectedPassword: string,
+): boolean {
+  if (!expectedUsername || !expectedPassword) return true;
+
+  const header = req.headers.get("Authorization");
+  if (!header?.startsWith("Basic ")) return false;
+
+  let decoded: string;
+  try {
+    decoded = atob(header.slice(6).trim());
+  } catch {
+    return false;
+  }
+
+  const idx = decoded.indexOf(":");
+  if (idx === -1) return false;
+  const user = decoded.slice(0, idx);
+  const pass = decoded.slice(idx + 1);
+
+  const userOk = timingSafeStringEqual(user, expectedUsername);
+  const passOk = timingSafeStringEqual(pass, expectedPassword);
+  return userOk && passOk;
+}

package/util/webRouting.ts

@@ -112,6 +112,28 @@ async function readBodyWithLimit(req: Request): Promise<string> {
   return new TextDecoder().decode(merged);
 }
 
+/**
+ * Merge a value into the params object under `key`, appending to any existing
+ * value rather than replacing it. If `key` is not set, assigns `value` as-is.
+ * If it is set, produces an array containing the existing value(s) followed by
+ * the incoming value(s). Used to fold body, form-data, and query string
+ * sources into a single params object while preserving repeated keys.
+ */
+function appendParam(
+  params: Record<string, unknown>,
+  key: string,
+  value: unknown,
+): void {
+  if (params[key] === undefined) {
+    params[key] = value;
+    return;
+  }
+  const incoming = Array.isArray(value) ? value : [value];
+  params[key] = Array.isArray(params[key])
+    ? [...(params[key] as unknown[]), ...incoming]
+    : [params[key], ...incoming];
+}
+
 /**
  * Parse request parameters from path params, request body (JSON or form-data),
  * and query string into a single plain object.
@@ -179,44 +201,12 @@ export async function parseRequestParams(
     }
 
     const f = await req.formData();
-    f.forEach((value, key) => {
-      if (params[key] !== undefined) {
-        if (Array.isArray(params[key])) {
-          (params[key] as unknown[]).push(value);
-        } else {
-          params[key] = [params[key], value];
-        }
-      } else {
-        params[key] = value;
-      }
-    });
+    f.forEach((value, key) => appendParam(params, key, value));
   }
 
   if (url.query) {
     for (const [key, values] of Object.entries(url.query)) {
-      if (values !== undefined) {
-        if (Array.isArray(values)) {
-          if (params[key] !== undefined) {
-            if (Array.isArray(params[key])) {
-              (params[key] as unknown[]).push(...values);
-            } else {
-              params[key] = [params[key], ...values];
-            }
-          } else {
-            params[key] = values;
-          }
-        } else {
-          if (params[key] !== undefined) {
-            if (Array.isArray(params[key])) {
-              (params[key] as unknown[]).push(values);
-            } else {
-              params[key] = [params[key], values];
-            }
-          } else {
-            params[key] = values;
-          }
-        }
-      }
+      if (values !== undefined) appendParam(params, key, values);
     }
   }